One of the steps that can be taken when performing a vulnerability assessment is to review the available documentation from multiple sources, including:

• Incidents—If any security incidents have occurred, the documentation from the incident should be reviewed. Often, the cause of an incident is directly related to a vulnerability. For example, a successful buffer overflow attack on an Internet-facing server may have resulted in a malware infection, which may indicate that the system is not being updated often enough.
• Outage reports—Any outage that has affected the mission of the business can be investigated. If the outage affected the bottom line, a vulnerability can probably be identified.
• Assessment reports—Past assessment reports should be reviewed to identify common problems and problems that have not been corrected.

In addition to reviewing past assessment reports, other information can be reviewed to determine vulnerabilities. The three common sources of information are system logs, audit trails, and intrusion detection systems (IDSs). There is no particular order in which they should be reviewed. However, if the network has the data available, all of it should be reviewed.

Intrusion Detection and Prevention System Outputs

An intrusion detection and prevention system (IDPS) is able to monitor a network or system, capture network traffic, and send an alert when an intrusion is detected. A host-based IDS is installed on a single system. A network-based IDS has several monitoring agents installed throughout the network that report to a central server. A signature-based IDS detects attacks based on known malicious attack sequences or patterns. An anomaly-based IDS employs machine learning algorithms to detect unknown malware attacks. FIGURE 8-3 shows an example of a network-based IDS with three monitoring agents installed on the network.

One monitoring agent is on the Internet side, one is in the demilitarized zone (DMZ), and one is on the internal network. An examination of the output of an IDS will reveal several key points. These three agents work together to identify what type of attacks are launched against the network, and they provide insight into the success of different mitigation techniques.

Events from agent 1 show how many attacks are launched against a network from the Internet. Events from agent 2 identify the attacks that are able to get through the external firewall, which shows the effectiveness of the firewall against specific types of attacks and helps reveal the vulnerabilities for any public-facing servers in the DMZ. Agent 3 shows the attacks that are able to get through the second firewall of the DMZ. These attacks on an internal network can be very damaging if not addressed.

Although the focus of Figure 8-3 is on attacks from the Internet, internal attacks are also possible. The network agent on the internal network monitors for internal attacks. A network having several internal agents installed to monitor an internal network is common.

Internal attacks aren’t necessarily from malicious users. They are often from malware that has infected one or more systems on the network. However, the benefit of a network-based IDS is early detection of an infection.

Many tools are available to perform vulnerability scans within a network. Some of the more commonly used tools include Nmap, Nessus, SATAN, and SAINT.

These tools provide several benefits, some of which include:

• Identifying vulnerabilities—They provide a fast and easy method to identify vulnerabilities. The scan is run and then the report is analyzed.
• Scanning systems and network—Vulnerability scanners can inspect and detect problems on the network and on individual hosts; detect vulnerabilities based on the operating system, applications, and services installed on the host; and detect open ports and access points on the network.
• Providing metrics—A key part of management is measurement. If something can be measured, its progress can be identified, and this is also true with vulnerabilities. At the beginning of running regular vulnerability scans, the scans will likely discover many vulnerabilities. Six months later, if the metrics are analyzed, the analysis should show that the issues have been significantly reduced. If they have not been reduced, then other problems are involved. If all of the same vulnerabilities are present six months after the first scan, the vulnerabilities are not getting fixed.
• Documenting results—The resulting documentation provides input for internal reports compliance. Scanner reports can be used to prove compliance with different laws and regulations.

Vulnerability scanners do have weaknesses. First, they must be updated regularly because threats and systems change. Therefore, the scans must also change to ensure they are looking for both past and current vulnerabilities.

Second, many scanners have a high false-positive error rate. In other words, they incorrectly indicate a vulnerability exists. While this can be annoying, it makes sense from a security perspective. If there’s a possibility for error, the scanner errs on the side of too many warnings, instead of not enough. Here are two examples:

• A system is vulnerable, but the scans are not detecting the vulnerabilities. This situation can occur from a low false-positive error rate.
• A system is not vulnerable, but the scans keep identifying vulnerabilities. This situation can occur from a high false-positive error rate.

Most security professionals want to avoid the first scenario. They don’t want their systems to have unreported vulnerabilities.

Last, some scanners can generate a lot of network traffic, which could interfere with normal operations if the network is already busy.

Audits are performed to check compliance with rules and guidelines. A vulnerability assessment audit specifically checks an organization’s compliance with in-place internal policies.

For example, an organization may have a policy in place related to employees who leave the company. The policy may state that user accounts should be immediately disabled if an employee leaves and, six months later, deleted.

An audit determines whether the policy is being followed. The audit can be quick and automated if the auditor has scripting skills. The auditor could write a script to check for enabled accounts that haven’t been used in the past 15 days. The output is then checked with the human resources department to determine whether any of these users are still employed. A similar script could be used to determine whether any accounts exist that haven’t been used in the past six months.

Personnel interviews could be completed to gain insight into possible new issues. For example, personnel could be asked what they consider to be current vulnerabilities. Often, employees know what the issues are, but they aren’t asked.

In addition, personnel can be interviewed to identify their security knowledge. For example, employees could be asked when it is acceptable to give out their password. A secure organization will have a policy in place stating that users should never give out their password to anyone.

Process analysis is performed in some systems to determine whether vulnerabilities exist in their processes. In other words, instead of just looking at the output, the processes used to determine the output are evaluated. Output analysis, on the other hand, is performed by examining the output to determine whether a vulnerability exists.

Neither analysis is superior to the other. However, there are times when one will be preferable over the other. For example, the effectiveness of a firewall may be a concern. Firewalls use rules to determine whether traffic is allowed. Either process analysis or output analysis can be used to determine the effectiveness of the firewall.

FIGURE 8-4 shows that the firewall is blocking and allowing traffic into and out of the network. Process analysis requires reviewing all the rules to determine whether they provide the desired security. Output analysis examines the input and output of the firewall to determine whether only desired traffic is allowed through the firewall.

If the firewall has only five rules, process analysis would be completed rather easily. However, if the firewall has over 100 rules, output analysis may be easier to perform.

System testing is used to test individual systems for vulnerabilities. These systems include individual servers and individual end user systems. The primary testing performed on systems is related to patches and updates because the majority of vulnerabilities occur because of bugs that are resolved by patching. For example, a company could have a bank of servers that are running Microsoft Windows Server 2012. Several patches and updates have been released for the servers since they’ve been installed. System testing queries the servers to determine whether they are up to date.

System testing could be done with traditional management tools, vulnerability assessment tools, or both. Microsoft includes traditional tools, such as Windows Server Update Services (WSUS) and System Center 2012 Configuration Manager (ConfigMgr). Each of these server products can query systems in the network and ensure they have all the appropriate updates. If a system doesn’t have an update, WSUS or ConfigMgr can push the update to the system and double-check to ensure it has been installed. For example, Microsoft Security Bulletin MS14-011 identified a critical vulnerability in the VBScript scripting engine in Microsoft Windows. This vulnerability could allow remote code execution if a user visited a specially crafted website. The remote code could install malware. Information about this vulnerability is available at http://go.microsoft.com/fwlink/?LinkID=391023.

Microsoft has released updates for all affected systems. Any system that doesn’t have the update related to MS14-011 is vulnerable. WSUS and ConfigMgr can be used to check clients for the vulnerability and deploy the appropriate updates.

As an additional check, vulnerability assessment tools can verify that systems have appropriate updates, but most of them don’t deploy the updates.

Access Controls Testing

Access controls testing verifies user rights and permissions. A right grants the authority to perform an action on a system, such as to restart it. A permission grants access to a resource, such as a file or printer.

Most organizations have administrative models in place that specify what rights and permissions regular users are granted. These models ensure that users have what they need to perform their job but no more. They help support security principles of least privilege and need to know.

In FIGURE 8-5, a company has certain resources that only sales personnel should access and other resources that only IT department personnel should access. Access restrictions are enforced by putting employees into the appropriate groups and assigning permissions to the group.

All members of the sales group automatically have access to the sales resources, and all members of the IT group automatically have access to the IT resources. Members of the sales group do not have access to IT department resources just as members of the IT group do not have access to sales department resources.

Similarly, only certain users within an organization should have administrative rights to systems. Even though from a usability perspective, granting everyone administrative access would be easier to implement, doing so would sacrifice security. It violates the principle of least privilege by giving all users rights to do anything, and it violates the principle of need to know by granting all users access to all data in the organization.

Security or Usability?

A company has grown explosively in a short time and is now faced with some basic technical challenges. The company has a single administrator managing the entire network. Although this administrator managed the network well when the company was smaller, he is now overwhelmed by the company’s growth.

He is faced with two competing goals: security and usability. Users request changes to their rights and permissions more and more often. He understands that rights and permissions ensure that users have only what they need to perform their job. He also understands the value of the principles of least privilege and need to know. Instead of just making the changes, he tries to investigate the need. These delays result in complaints to his manager.

The administrator expresses his need to the manager for additional help. He also tries to explain the purpose of access controls to the manager. Unfortunately, he is unable to get any additional help. The manager stresses that he doesn’t want to hear any more complaints from users needing additional access.

In this situation, the manager is focused on usability, and the administrator is focused on security. However, the manager is the boss, so what he says goes.

Two things happen. First, the administrator adds all users to administrator accounts, which ensures that all users will always have access to anything they need. It also ensures that the manager will not hear any more complaints about access controls. Second, the administrator begins looking for another job because he understands that it is just a matter of time before these changes will cause problems. At the very least, they will result in a loss of confidentiality.

Access controls testing verifies that the users are granted the rights and permissions needed to perform their jobs and no more. It ensures that an administrative model is used as it was designed.

When performing vulnerability testing, each of the seven domains of a typical IT infrastructure should be considered. These seven domains were mentioned earlier and are shown in Figure 8-2.

Vulnerabilities exist in each of the domains. The focus can be on only one domain at a time, but all seven domains should be examined on a regular basis.

A company may have tools that are focused on only the LAN Domain or the LAN-to-WAN Domain. However, if this is the only vulnerability testing the company does, the testing is missing many other potential problems. For example, social engineering attacks against the User Domain are often successful simply because users don’t understand the risks.

The following best practices apply to most of the domains:

• Identifying assets first—Asset management helps to identify which resources to protect. Not all assets need vulnerability assessments, only the valuable ones.
• Ensuring scanners are kept up to date—Vulnerability scanners need to be updated regularly, which is similar to how antivirus software needs to be updated with malware definitions. An antivirus program that isn’t kept up to date is only marginally better than no antivirus program at all, which is also true for a vulnerability scanner.
• Performing internal and external checks—Attacks can come from internal and external sources, so vulnerability assessments should be performed from internal and external locations. Check for vulnerabilities behind the firewall; from outside the firewall; and, with a DMZ, from the Internet into the DMZ.
• Documenting the results—The results of every vulnerability assessment should be documented. This documentation can be used in several ways. Older results can be compared against current results to track progress. Some vulnerability assessments can be used to document compliance with laws and regulations.
• Providing reports—Reports that summarize the important findings and provide recommendations are presented to management.